[Bug 963587] Re: Trousers fails to set tpm permissions properly.

kimj emailadhoc at yahoo.com
Mon Dec 23 10:33:55 UTC 2013


As a temporary workaround, I hacked trousers' init script:

        start)
                log_daemon_msg "Starting $DESC" "$NAME"

                if [ ! -e /dev/tpm* ]
                then
                        log_warning_msg "device driver not loaded, skipping."
                        exit 0
                fi
                chown tss:tss /dev/tpm*
                chown -R tss:tss /var/lib/tpm
                start-stop-daemon --start --quiet --oknodo --pidfile /var/run/${NAME}.pid --user ${USER} --chuid ${USER} --exec ${DAEMON} -- ${DAEMON_OPTS}
                RETVAL="$?"
                log_end_msg $RETVAL
                [ "$RETVAL" = 0 ] && pidof $DAEMON > /var/run/${NAME}.pid
                exit $RETVAL
                ;;

I simply added:

                chown tss:tss /dev/tpm*
                chown -R tss:tss /var/lib/tpm

and now the daemon starts. The change of ownership of /var/lib/tpm
should however be done by the package postinst script, and the change of
ownership on the tpm device via udev; a permissions check should still
be added to the init script, and maybe some 'form' of temporary
remediation too.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to trousers in Ubuntu.
https://bugs.launchpad.net/bugs/963587

Title:
  Trousers fails to set tpm permissions properly.

Status in “trousers” package in Ubuntu:
  Triaged

Bug description:
  
  root@antarus-precise:~# apt-get install trousers
  Reading package lists... Done
  Building dependency tree       
  Reading state information... Done
  The following NEW packages will be installed:
    trousers
  0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
  Need to get 0 B/138 kB of archives.
  After this operation, 431 kB of additional disk space will be used.
  Selecting previously unselected package trousers.
  (Reading database ... 135516 files and directories currently installed.)
  Unpacking trousers (from .../trousers_0.3.7-2ubuntu1_amd64.deb) ...
  Processing triggers for ureadahead ...
  Processing triggers for man-db ...
  Setting up trousers (0.3.7-2ubuntu1) ...
  Adding system user `tss' (UID 115) ...
  Adding new group `tss' (GID 126) ...
  Adding new user `tss' (UID 115) with group `tss' ...
  Not creating home directory `/var/lib/tpm'.
   * Starting Trusted Computing daemon tcsd
     ...fail!
  invoke-rc.d: initscript trousers, action "start" failed.
  dpkg: error processing trousers (--configure):
   subprocess installed post-installation script returned error exit status 137
  Errors were encountered while processing:
   trousers
  E: Sub-process /usr/bin/dpkg returned an error code (1)

  In the postinst:

          configure)
                  # Adding tss system user
                  adduser --system --home /var/lib/tpm --shell /bin/false --no-create-home --group tss

                  # Setting owner
                  chown tss:tss /var/lib/tpm -R
                  chown tss:tss /etc/tcsd.conf

                  # Setting permissions
                  chmod 0600 /etc/tcsd.conf
                  chmod 0700 /var/lib/tpm

                  # we ship udev rules, so trigger an update
                  udevadm trigger --subsystem-match=misc --action=change
                  udevadm settle

                  ;;

  However udev seems to not like this:

  Mar 24 00:39:14 antarus-precise udevd[31861]: specified user 'tss' unknown
  Mar 24 00:39:14 antarus-precise udevd[31861]: specified group 'tss' unknown

  root@antarus-precise:~# ls -al /dev/tpm0
  crw------- 1 root root 10, 224 Mar 24 00:39 /dev/tpm0

  Because the device is not owned correctly, tcsd fails to start and
  breaks apt :/

  root@antarus-precise:~# lsb_release -rd
  Description:    Ubuntu precise (development branch)
  Release:        12.04

  root@antarus-precise:~# apt-cache policy trousers
  trousers:
    Installed: 0.3.7-2ubuntu1
    Candidate: 0.3.7-2ubuntu1

  I expect the udev rules to take effect, so the daemon can start
  properly.

  Example:
  root@antarus-precise:~# chown tss:tss /dev/tpm0
  root@antarus-precise:~# ls -al /dev/tpm0
  crw------- 1 tss tss 10, 224 Mar 24 00:39 /dev/tpm0
  root@antarus-precise:~# start-stop-daemon --start --user tss --chuid tss --exec /usr/sbin/tcsd
  root@antarus-precise:~# ps
    PID TTY          TIME CMD
   4038 pts/6    00:00:00 sudo
   4039 pts/6    00:00:00 bash
   4686 pts/6    00:00:00 ps
  root@antarus-precise:~# ps -u tss
    PID TTY          TIME CMD
   4685 ?        00:00:00 tcsd

  What happened instead?
  root@antarus-precise:~# apt-get install trousers
  Reading package lists... Done
  Building dependency tree       
  Reading state information... Done
  trousers is already the newest version.
  0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
  1 not fully installed or removed.
  After this operation, 0 B of additional disk space will be used.
  Do you want to continue [Y/n]? y
  Setting up trousers (0.3.7-2ubuntu1) ...
  The system user `tss' already exists. Exiting.
   * Starting Trusted Computing daemon tcsd
     ...fail!
  invoke-rc.d: initscript trousers, action "start" failed.
  dpkg: error processing trousers (--configure):
   subprocess installed post-installation script returned error exit status 137
  Errors were encountered while processing:
   trousers
  E: Sub-process /usr/bin/dpkg returned an error code (1)
  root@antarus-precise:~# ls -al /dev/tpm0
  crw------- 1 root root 10, 224 Mar 24 00:43 /dev/tpm0

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/trousers/+bug/963587/+subscriptions
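
The permissions check that the comment at the top of this message asks for in the init script could look like the following. This is an added example, not part of the original message or of the trousers package: the function names are hypothetical, the expected owner and modes (tss:tss, 0700, 0600) are the ones the postinst quoted above sets, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: pre-start check of TPM device node and tcsd file ownership.
# Function names are hypothetical; requires GNU stat (coreutils).

# check_owner PATH USER:GROUP -> 0 if PATH exists and has that owner
check_owner() {
    [ -e "$1" ] || { echo "missing: $1" >&2; return 1; }
    actual=$(stat -c '%U:%G' "$1") || return 1
    [ "$actual" = "$2" ] && return 0
    echo "$1 is owned by $actual, expected $2" >&2
    return 1
}

# check_mode PATH OCTAL -> 0 if the permission bits match (e.g. 700)
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2" ] && return 0
    echo "$1 has mode $actual, expected $2" >&2
    return 1
}

# tpm_preflight DEV_GLOB STATE_DIR CONF USER:GROUP
# returns 0 = all good, 1 = wrong owner or mode, 2 = no TPM device node
tpm_preflight() {
    owner=$4 rc=0 found=0
    for dev in $1; do                 # unquoted on purpose: expand the glob
        [ -e "$dev" ] || continue     # an unmatched glob stays literal; skip it
        found=1
        check_owner "$dev" "$owner" || rc=1
    done
    [ "$found" -eq 1 ] || return 2
    check_owner "$2" "$owner" || rc=1
    check_mode  "$2" 700      || rc=1
    check_owner "$3" "$owner" || rc=1
    check_mode  "$3" 600      || rc=1
    return "$rc"
}

# In the init script's start) branch, before start-stop-daemon:
#   tpm_preflight '/dev/tpm*' /var/lib/tpm /etc/tcsd.conf tss:tss
```

Return code 2 maps onto the init script's existing "device driver not loaded, skipping" branch, while 1 lets the script report the ownership problem instead of letting tcsd fail during package configuration.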


